Structural vulnerabilities - What are they and why do they matter?
Vulnerability scanners often report large numbers of vulnerabilities in corporate IT systems. For the IT security manager, prioritising remediation activities is a problem. Prioritising by vulnerability scoring systems, such as the Common Vulnerability Scoring.
In this article, we show that determining whether vulnerabilities are structural requires detailed knowledge of the system configuration. For all but the simplest systems, human analysis alone is a poor solution. However, new techniques and tools make detailed attack path analysis viable for corporate IT.